centrifugal / jscent

Node.js client to interact with Centrifugo v1 HTTP API
MIT License

HTTPS #6

Closed delprofile closed 7 years ago

delprofile commented 7 years ago

message: 'Request failed with an error',
url: 'https://*********.ru:8000/centrifugo/api/',
error: { Error: unable to verify the first certificate
    at TLSSocket. (_tls_wrap.js:1104:38)
    at emitNone (events.js:105:13)
    at TLSSocket.emit (events.js:207:7)
    at TLSSocket._finishInit (_tls_wrap.js:638:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:468:38)
  code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' },
statusCode: null,
body: null }

Can help?

FZambia commented 7 years ago

Hi, I think the reason is custom port here - try using standard port for HTTPS, i.e. 443

delprofile commented 7 years ago

Centrifugo is on 8000, I have SSL on the site... Unix upstream doesn't work. I used nginx + Apache - backend

server {
    server_name hardcsgo.ru www.hardcsgo.ru;
    charset off;
    index index.html index.php;
    disable_symlinks if_not_owner from=$root_path;
    include /etc/nginx/vhosts-includes/*.conf;
    include /etc/nginx/vhosts-resources/hardcsgo.ru/*.conf;
    access_log /var/www/httpd-logs/hardcsgo.ru.access.log;
    error_log /var/www/httpd-logs/hardcsgo.ru.error.log notice;
    ssi on;
    set $root_path /var/www/hardcsgo/data/www/hardcsgo.ru/public;
    root $root_path;
    listen 185.87.49.66:80;
    listen [2a02:f680:1:1100::3985]:80;

    location / {
        location ~ [^/]\.ph(p\d*|tml)$ {
            try_files /does_not_exists @fallback;
        }
        location ~* ^.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf)$ {
            try_files $uri $uri/ @fallback;
        }
        location / {
            try_files /does_not_exists @fallback;
        }
    }
    location @fallback {
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect http://127.0.0.1:8080 /;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        access_log off;
    }
}
server {
    server_name hardcsgo.ru www.hardcsgo.ru;
    ssl on;
    ssl_certificate "/var/www/httpd-cert/hardcsgo/hardcsgo.ru.crtca";
    ssl_certificate_key "/var/www/httpd-cert/hardcsgo/hardcsgo.ru.key";
    ssl_ciphers EECDH:+AES256:-3DES:RSA+AES:RSA+3DES:!NULL:!RC4:!RSA+3DES;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=31536000;";
    ssl_dhparam /etc/ssl/certs/dhparam4096.pem;
    charset off;
    index index.html index.php;
    disable_symlinks if_not_owner from=$root_path;
    include /etc/nginx/vhosts-includes/*.conf;
    include /etc/nginx/vhosts-resources/hardcsgo.ru/*.conf;
    access_log /var/www/httpd-logs/hardcsgo.ru.access.log;
    error_log /var/www/httpd-logs/hardcsgo.ru.error.log notice;
    ssi on;
    set $root_path /var/www/hardcsgo/data/www/hardcsgo.ru/public;
    root $root_path;
    listen 185.87.49.66:443;
    listen [2a02:f680:1:1100::3985]:443;

    location / {
        location ~ [^/]\.ph(p\d*|tml)$ {
            try_files /does_not_exists @fallback;
        }
        location ~* ^.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf)$ {
            try_files $uri $uri/ @fallback;
        }
        location / {
            try_files /does_not_exists @fallback;
        }
    }
    location @fallback {
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect http://127.0.0.1:8080 /;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        access_log off;
    }
}

FZambia commented 7 years ago

You are posting to https://*********.ru:8000/centrifugo/api/ - try to get rid of port part - i.e. use sth like https://*********.ru/centrifugo/api/ and proxy requests to Centrifugo.

delprofile commented 7 years ago

That's what I wrote: the nginx proxy doesn't work for me, it returns a file when accessed, even though I set the MIME types and so on.

FZambia commented 7 years ago

Please look at this - looks similar to your current problem. And pay attention to:

one of the most common causes for this issue is that your certificate does not embed its intermediate CA certificates. Try fixing your certificate before trying anything else

delprofile commented 7 years ago

It's not a decision to use a third-party module when there is SSL support in the request module, maybe you should add to jscent variables when structSSL for the agent to get by using standard methods?

FZambia commented 7 years ago

Not sure what you mean. There are 2 possible solutions:

1) Fix your certificate chain
2) Disable certificate verifying in jscent (not secure)

FZambia commented 7 years ago

If you follow links on SO - there is a link to https://www.npmjs.com/package/ssl-root-cas where author describes possible solutions without using that module. Maybe it helps...

delprofile commented 7 years ago

You mean NODE_EXTRA_CA_CERTS='./path/to/root-cas.pem' node example.js? It doesn't work, I checked.

FZambia commented 7 years ago

Btw, as temporary solution you can use this code before calling jscent functions:

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

delprofile commented 7 years ago

@FZambia , I know, but it's not a good idea to disable the protection. At night I tested debian 9.1 and this problem is not there, I think the problem in ca-certificate is 8.9 since root ca Let's Encrypt is not included in the standard package.

delprofile commented 7 years ago

solution here https://github.com/centrifugal/centrifugo/issues/192
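
A middle path between the two options listed in the thread, as an added example that is not part of the original issue or of jscent: trust an extra CA certificate on one HTTPS agent only, keeping verification on, instead of setting NODE_TLS_REJECT_UNAUTHORIZED for the whole process. The function names and the sample bundle are assumptions made for illustration; how an agent is passed to jscent is not shown on the page and is left out.

```javascript
// Added example (not jscent code): trust one extra CA certificate for a single
// HTTPS agent instead of disabling verification for the whole process.
const tls = require('tls');
const https = require('https');
const { X509Certificate } = require('crypto');

// Split a PEM bundle (several certificates concatenated) into single PEM blocks.
function splitPemBundle(text) {
  const re = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;
  return text.match(re) || [];
}

// Build TLS options that keep Node's bundled roots and add the extra CA certs.
// Passing `ca` replaces the default trust store, so the roots are re-added.
function tlsOptionsWithExtraCa(bundleText, now = new Date()) {
  if (process.env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    throw new Error('NODE_TLS_REJECT_UNAUTHORIZED=0 disables verification process-wide');
  }
  const extra = splitPemBundle(bundleText);
  if (extra.length === 0) throw new Error('no certificates found in bundle');
  for (const pem of extra) {
    const cert = new X509Certificate(pem); // throws on malformed input
    if (!cert.ca) throw new Error(`not a CA certificate: ${cert.subject}`);
    if (new Date(cert.validTo) < now) throw new Error(`expired: ${cert.subject}`);
  }
  return { ca: [...tls.rootCertificates, ...extra], rejectUnauthorized: true };
}

// Agent for an HTTP client; only requests made through it see the extra CA.
function agentWithExtraCa(bundleText) {
  return new https.Agent(tlsOptionsWithExtraCa(bundleText));
}

// Constructed sample input: one of Node's bundled roots stands in for the
// intermediate CA file that the server operator would supply.
const sampleCa = tls.rootCertificates.find((pem) => {
  const c = new X509Certificate(pem);
  return c.ca && new Date(c.validTo) > new Date();
});
const SAMPLE_BUNDLE = `# constructed sample bundle\n${sampleCa}\n`;
```

This only works around a server that omits its intermediate; the durable fix remains serving the full chain from the server.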